add permissionsPolicy and deprecate featurePolicy

2021-06-21 21:16:13 +08:00 · 2021-06-21 21:16:13 +08:00 · dca348359b
commit dca348359b
parent cf0759a48f
14 changed files with 42 additions and 11 deletions
--- a/pkg/anonymize/anonymize_config_test.go
+++ b/pkg/anonymize/anonymize_config_test.go
@ -226,6 +226,7 @@ func TestDo_dynamicConfiguration(t *testing.T) {
 					PublicKey:                         "foo",
 					ReferrerPolicy:                    "foo",
 					FeaturePolicy:                     "foo",
+					PermissionsPolicy:                 "foo",
 					IsDevelopment:                     true,
 				},
 				Errors: &dynamic.ErrorPage{
--- a/pkg/anonymize/testdata/anonymized-dynamic-config.json
+++ b/pkg/anonymize/testdata/anonymized-dynamic-config.json
@ -178,6 +178,7 @@
          "publicKey": "xxxx",
          "referrerPolicy": "foo",
          "featurePolicy": "foo",
+          "permissionsPolicy": "foo",
          "isDevelopment": true
        },
        "errors": {
--- a/pkg/config/dynamic/middlewares.go
+++ b/pkg/config/dynamic/middlewares.go
@ -185,8 +185,10 @@ type Headers struct {
 	ContentSecurityPolicy   string `json:"contentSecurityPolicy,omitempty" toml:"contentSecurityPolicy,omitempty" yaml:"contentSecurityPolicy,omitempty"`
 	PublicKey               string `json:"publicKey,omitempty" toml:"publicKey,omitempty" yaml:"publicKey,omitempty"`
 	ReferrerPolicy          string `json:"referrerPolicy,omitempty" toml:"referrerPolicy,omitempty" yaml:"referrerPolicy,omitempty" export:"true"`
-	FeaturePolicy           string `json:"featurePolicy,omitempty" toml:"featurePolicy,omitempty" yaml:"featurePolicy,omitempty" export:"true"`
-	IsDevelopment           bool   `json:"isDevelopment,omitempty" toml:"isDevelopment,omitempty" yaml:"isDevelopment,omitempty" export:"true"`
+	// Deprecated: use PermissionsPolicy instead.
+	FeaturePolicy     string `json:"featurePolicy,omitempty" toml:"featurePolicy,omitempty" yaml:"featurePolicy,omitempty" export:"true"`
+	PermissionsPolicy string `json:"permissionsPolicy,omitempty" toml:"permissionsPolicy,omitempty" yaml:"permissionsPolicy,omitempty" export:"true"`
+	IsDevelopment     bool   `json:"isDevelopment,omitempty" toml:"isDevelopment,omitempty" yaml:"isDevelopment,omitempty" export:"true"`
 }

 // HasCustomHeadersDefined checks to see if any of the custom header elements have been set.
@ -229,6 +231,7 @@ func (h *Headers) HasSecureHeadersDefined() bool {
 		h.PublicKey != "" ||
 		h.ReferrerPolicy != "" ||
 		h.FeaturePolicy != "" ||
+		h.PermissionsPolicy != "" ||
 		h.IsDevelopment)
 }

--- a/pkg/config/label/label_test.go
+++ b/pkg/config/label/label_test.go
@ -68,6 +68,7 @@ func TestDecodeConfiguration(t *testing.T) {
 		"traefik.http.middlewares.Middleware8.headers.publickey":                                   "foobar",
 		"traefik.http.middlewares.Middleware8.headers.referrerpolicy":                              "foobar",
 		"traefik.http.middlewares.Middleware8.headers.featurepolicy":                               "foobar",
+		"traefik.http.middlewares.Middleware8.headers.permissionspolicy":                           "foobar",
 		"traefik.http.middlewares.Middleware8.headers.sslforcehost":                                "true",
 		"traefik.http.middlewares.Middleware8.headers.sslhost":                                     "foobar",
 		"traefik.http.middlewares.Middleware8.headers.sslproxyheaders.name0":                       "foobar",
@ -580,6 +581,7 @@ func TestDecodeConfiguration(t *testing.T) {
 						PublicKey:               "foobar",
 						ReferrerPolicy:          "foobar",
 						FeaturePolicy:           "foobar",
+						PermissionsPolicy:       "foobar",
 						IsDevelopment:           true,
 					},
 				},
@ -1063,6 +1065,7 @@ func TestEncodeConfiguration(t *testing.T) {
 						PublicKey:               "foobar",
 						ReferrerPolicy:          "foobar",
 						FeaturePolicy:           "foobar",
+						PermissionsPolicy:       "foobar",
 						IsDevelopment:           true,
 					},
 				},
@ -1204,6 +1207,7 @@ func TestEncodeConfiguration(t *testing.T) {
 		"traefik.HTTP.Middlewares.Middleware8.Headers.PublicKey":                                   "foobar",
 		"traefik.HTTP.Middlewares.Middleware8.Headers.ReferrerPolicy":                              "foobar",
 		"traefik.HTTP.Middlewares.Middleware8.Headers.FeaturePolicy":                               "foobar",
+		"traefik.HTTP.Middlewares.Middleware8.Headers.PermissionsPolicy":                           "foobar",
 		"traefik.HTTP.Middlewares.Middleware8.Headers.SSLForceHost":                                "true",
 		"traefik.HTTP.Middlewares.Middleware8.Headers.SSLHost":                                     "foobar",
 		"traefik.HTTP.Middlewares.Middleware8.Headers.SSLProxyHeaders.name0":                       "foobar",
--- a/pkg/middlewares/headers/headers.go
+++ b/pkg/middlewares/headers/headers.go
@ -30,6 +30,9 @@ func handleDeprecation(ctx context.Context, cfg *dynamic.Headers) {
 	if cfg.SSLForceHost {
 		log.FromContext(ctx).Warn("SSLForceHost is deprecated, please use RedirectScheme middleware instead.")
 	}
+	if cfg.FeaturePolicy != "" {
+		log.FromContext(ctx).Warn("FeaturePolicy is deprecated, please use PermissionsPolicy header instead.")
+	}
 }

 type headers struct {
--- a/pkg/middlewares/headers/secure.go
+++ b/pkg/middlewares/headers/secure.go
@ -37,6 +37,7 @@ func newSecure(next http.Handler, cfg dynamic.Headers, contextKey string) *secur
 		SSLProxyHeaders:         cfg.SSLProxyHeaders,
 		STSSeconds:              cfg.STSSeconds,
 		FeaturePolicy:           cfg.FeaturePolicy,
+		PermissionsPolicy:       cfg.PermissionsPolicy,
 		SecureContextKey:        contextKey,
 	}

--- a/pkg/middlewares/headers/secure_test.go
+++ b/pkg/middlewares/headers/secure_test.go
@ -130,6 +130,13 @@ func Test_newSecure_modifyResponse(t *testing.T) {
 			},
 			expected: http.Header{"Feature-Policy": []string{"vibrate 'none';"}},
 		},
+		{
+			desc: "PermissionsPolicy",
+			cfg: dynamic.Headers{
+				PermissionsPolicy: "microphone=(),",
+			},
+			expected: http.Header{"Permissions-Policy": []string{"microphone=(),"}},
+		},
 		{
 			desc: "STSSeconds",
 			cfg: dynamic.Headers{
--- a/pkg/provider/kv/kv_test.go
+++ b/pkg/provider/kv/kv_test.go
@ -104,6 +104,7 @@ func Test_buildConfiguration(t *testing.T) {
 		"traefik/http/middlewares/Middleware09/headers/contentTypeNosniff":                           "true",
 		"traefik/http/middlewares/Middleware09/headers/accessControlAllowCredentials":                "true",
 		"traefik/http/middlewares/Middleware09/headers/featurePolicy":                                "foobar",
+		"traefik/http/middlewares/Middleware09/headers/permissionsPolicy":                            "foobar",
 		"traefik/http/middlewares/Middleware09/headers/forceSTSHeader":                               "true",
 		"traefik/http/middlewares/Middleware09/headers/sslRedirect":                                  "true",
 		"traefik/http/middlewares/Middleware09/headers/sslHost":                                      "foobar",
@ -596,6 +597,7 @@ func Test_buildConfiguration(t *testing.T) {
 						PublicKey:               "foobar",
 						ReferrerPolicy:          "foobar",
 						FeaturePolicy:           "foobar",
+						PermissionsPolicy:       "foobar",
 						IsDevelopment:           true,
 					},
 				},